langx-java

Potential security vulnerabilities in the shared library which langx-java depends on. Can you help upgrade to patch versions?

Open HelenParr opened this issue 3 years ago • 0 comments

Hi, @fangjinuo , I'd like to report a vulnerability issue in com.github.fangjinuo.langx:langx-java-gmssl:4.1.0.

Issue Description

com.github.fangjinuo.langx:langx-java-gmssl:4.1.0 directly depends on 2 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs:

libcrypto.so from C project openssl(version:1.1.0d) exposed 5 vulnerabilities: CVE-2019-1543, CVE-2018-0735, CVE-2017-3738, CVE-2017-3733, CVE-2019-1552

Suggested Vulnerability Patch Versions

openssl has fixed the vulnerabilities in versions >=1.1.1l

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~ Best regards, Helen Parr

HelenParr · Apr 22 '22 13:04
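
The gap the report describes, native libraries bundled in a JAR that Java dependency scanners do not inspect, can be checked directly. The following is an added example, not part of the original issue or the langx-java project: it lists native libraries inside a JAR and reads the OpenSSL version banner embedded in each. The JAR entry paths and sample bytes are constructed; the 1.1.1l threshold is the patch version named in the issue.

```python
import io
import re
import zipfile

# libcrypto embeds a banner such as "OpenSSL 1.1.0d  26 Jan 2017".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")
# Native library entries: .so (optionally versioned), .dll, .dylib
NATIVE = re.compile(r"\.(so(\.[\w.]+)?|dll|dylib)$")


def version_key(v):
    """Turn '1.1.0d' into a sortable key ((1, 1, 0), 'd')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    return tuple(int(x) for x in m.groups()[:3]), m.group(4)


def scan_jar(jar, min_fixed="1.1.1l"):
    """Return [(entry, version, below_min_fixed)] for native libs in a JAR.

    below_min_fixed only means the banner is older than min_fixed; it does
    not show that any particular CVE is reachable from the Java code.
    """
    findings = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not NATIVE.search(name):
                continue
            versions = {m.decode() for m in BANNER.findall(zf.read(name))}
            for v in sorted(versions, key=version_key):
                findings.append((name, v, version_key(v) < version_key(min_fixed)))
    return findings


def build_sample_jar():
    """Constructed sample: in-memory JAR with fake .so files (not the real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("native/linux-x86_64/libcrypto.so",
                    b"\x7fELF\x00pad\x00OpenSSL 1.1.0d  26 Jan 2017\x00")
        zf.writestr("native/linux-x86_64/libother.so",
                    b"\x7fELF\x00OpenSSL 1.1.1l  24 Aug 2021\x00")
        zf.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, version, outdated in scan_jar(build_sample_jar()):
        print(entry, version, "BELOW 1.1.1l" if outdated else "ok")
```

`scan_jar` also accepts a path to a JAR on disk, so it can run in CI against resolved dependency artifacts.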